default dns config change causing major poolpah

Remko Lodder remko at FreeBSD.org
Wed Aug 1 22:00:06 UTC 2007 

Doug Barton wrote:
> Replying en masse to bring related thoughts together. It was already
> posted, but a more complete treatment of my reasoning is found at:
> 
> http://lists.oarci.net/pipermail/dns-operations/2007-August/001856.html
> 
> Skip Ford wrote:
>> Randy Bush wrote:
>>> the undiscussed and unannounced change to the default dns config
>>>  to cause local transfer of the root and arpa zone files has 
>>> raised major discussing in the dns operational community. (see 
>>> the mailing list dns-operations at mail.oarc.isc.org).
>>>
>>> did i miss the discussion here?
>> No.  There was none.
>>
>>> i have spent some hours turning off the default bind and going 
>>> custom on a dozen or so machines around the planet.  i am not 
>>> happy.
> 
> Randy,
> 
> You might make your life a little easier by checking out src.conf(1)
> in 7-current and make.conf(1) in 6-stable which both document the
> various NO_BIND_* knobs that are available. What you probably want is
> NO_BIND_ETC.
> 
>> I don't have an axe to grind.  I don't run the default config on 
>> any of my 2 dozen name servers (not all of which run bind anyway) 
>> so I wasn't really affected by the change.
>>
>> However, I thought it was a really, really, terrible idea,
> 
> You're entitled to your opinion. If you take a look at the thread on
> the dns-operations list you'll see that there are a lot of really
> smart people lined up on both sides of this argument.
> 
>> and a rather rude act considering it relies on the charity of 
>> others to not break.
> 
> The same can be said of the root server network in general.
> 
>> There is no requirement that FreeBSD users be permitted to slave 
>> the roots.  Everyone who uses the default config can have their 
>> setups broken the day after installation.
> 
> The root server operators do not make changes in this kind of abrupt
> fashion.
> 
>> We never asked permission to use the resources of others in this
>> way, and they're not required to allow us to do so.
> 
> Once again, the same is true of resolution from the root servers as well.
> 
>> The original commit message for the change indicated it was done to
>>  bring us in line with "current best practices" but that commit 
>> message is the only place I have ever seen anyone say that slaving 
>> the roots is current best practice.
> 
> The BCP comment you're referring to was in regards to the default
> localhost zone generation which is not in any way related. Please see:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf
> 
> Heiko Wundram (Beenic) wrote:
>> Am Mittwoch 01 August 2007 13:07:27 schrieb Skip Ford:
>>> <snip>
>> You might want to check the thread starting with:
>>
>> <200707162319.41724.lofi at freebsd.org> ("Problems with named default
>> configuration in 6-STABLE")
> 
> Easier for most folks to access this by:
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=207558+0+archive/2007/freebsd-stable/20070722.freebsd-stable
> 
> That thread involved an issue of resolving local zones that could not
> be resolved because of a combination of slaving the root zone and the
> new default empty reverse zones for RFC 1918 space; and how that
> interacted with the forwarders clause that user had in his config.
> 
> Dag-Erling Smørgrav wrote:
> 
>> This is about on par with <unnamed network equipment manufacturer> 
>> selling SOHO routers that synchronize their clocks using stratum-1
>> NTP servers. 
> 
> I don't really think that analogy holds up, given that those who run
> public stratum-1 NTP servers specifically request that individual
> hosts not sync from them. The root server operators have a choice of
> whether to enable AXFR or not. Also, that configuration could not be
> changed, but named.conf can be changed easily.
> 
> If there is a consensus based on solid technical reasons (not emotion
> or FUD) to back the root zone slaving change out, I'll be glad to do
> so. I think it would be very useful at this point if those who _like_
> the change would speak up publicly as well.
> 
> 
> Regards,
> 
> Doug
> 

I like the change!

-- 
Kind regards,

     Remko Lodder               ** remko at elvandar.org
     FreeBSD                    ** remko at FreeBSD.org

     /* Quis custodiet ipsos custodes */

More information about the freebsd-stable mailing list